DNS leak flaws are outside of bug-bounty scope

Updated Kaspersky's Android VPN app whispered the names of websites its 1,000,000-plus users visited along with their public IP addresses to the world's DNS servers.

The antivirus giant duly fixed up the blunder when a researcher reported it via the biz's bug bounty program – for which he received zero dollars and zero cents as a reward.

Version 1.4.0.216 and earlier of the "Kaspersky VPN – Secure Connection" tool did not route DNS lookups through the secure tunnel. That means if you were using the VPN software to hide your public IP address, and thus clues to your identity, from the public internet, well, it let you down.

Whenever you would visit a website, say, supercyberotters.org, from your device with Kaspersky's VPN enabled, and your browser needed to look up the IP address of the domain name, it would reach out to a DNS server, such as one provided by your Wi-Fi, your cellular network, or yourself. That lookup would not be run through the VPN tunnel, though, so the DNS service would be able to log the domain names of the sites you were visiting, and when, against your public IP address.

Really, the DNS lookups should have been routed through the secure VPN tunnel, along with your connections to the websites – and the app was fixed in 1.4.0.453 and later, released before the end June, according to messages sent by Kaspersky Lab staff that we've seen. Thus, make sure you're running the latest build.

Judging from conversations between Mishra and Kaspersky Lab staffers, seen by The Register this week, the Russian software giant decided to give him extra HackerOne reputation points, and declined to hand over cold coin.

"I believe this vulnerability leaks traces of a user who wants to remain anonymous on the internet," Mishra told El Reg in an email on Thursday. "I reported this vulnerability on April 21, four months ago, via HackerOne, and a fix was pushed out but no bounty was awarded."

And we can see why, unfortunately: according to the rules of the bug bounty, you can land up to $10,000 for finding a flaw that leaks sensitive data. Unfortunately for Mishra, this data is defined as user passwords, payment information, and authentication tokens – and not IP addresses and domain-name lookups. Even though a VPN toolkit like Kaspersky Lab's is supposed to shield people's IP addresses and domain-name lookups.

A spokesperson for Kaspersky Lab said she was unable to comment when we contacted the organization.

The Russian security house wouldn't be the first biz to be accused of short-changing security researchers regarding vulnerability disclosures. In June, a pair of experts put multi-factor-token maker Yubico on blast after the vendor used their WebUSB security bug report to claim a bounty for itself from Google.

Yubico later apologized, and gave the researchers credit for the discovery. ®

Updated to add

A spokesperson for Kaspersky Lab has been in touch to say the VPN tool is completely outside the scope of the bug bounty:

Kaspersky Lab would like to thank Dhiraj Mishra for discovering a vulnerability in the Android-based Kaspersky Secure Connection app, which allowed a DNS service to log the domain names of the sites visited by users. This vulnerability was responsibly reported by the researcher, and was fixed in June.

The Kaspersky Secure Connection app is currently out of the scope of the company’s Bug Bounty Program, so we could not reward Dhirai under the current rules. We highly appreciate his work, and in the future the program may include new products. As stated in Kaspersky Lab’s Bug Bounty Program rules, bounties are currently paid for two major products: Kaspersky Internet Security and Kaspersky Endpoint Security. The company is ready to pay up to $20,000 for the discovery of some bugs in these products, and up to $100,000 for the most severe.

The security of our customers is our top priority, which is why we always take independent research very seriously. Kaspersky Lab launched the Bug Bounty Program in partnership with HackerOne back in August 2016 and since that time, we have been successful in resolving 105 bugs and vulnerabilities, paying $11,700 collectively to the researchers who discovered them.